Vectra, a leader in network threat detection and response, has announced that the proliferation of healthcare Internet-of-Things (IoT) devices, together with unpartitioned networks, insufficient access controls and a reliance on legacy systems, has exposed a vulnerable attack surface. This surface can be exploited by cybercriminals determined to steal personally identifiable information (PII) and protected health information (PHI), and to disrupt healthcare delivery processes.
Published in the Vectra 2019 Spotlight Report on Healthcare, these findings underscore the importance of utilising Machine Learning and Artificial Intelligence (AI) to detect hidden threat behaviours in enterprise IT networks before cybercriminals have a chance to spy, spread and steal.
Gaps in policies and procedures can result in errors by healthcare staff members, such as improper handling and storage of patient files. These errors are a soft spot for cybercriminals who target global organisations and industries in search of weaknesses to exploit.
“The increase in medical IoT is beneficial for patients but makes securing healthcare systems a challenge due to limited security controls around these devices,” said Brett Walmsley, Chief Technology Officer at Bolton NHS Foundation Trust, which provides in-patient and out-patient healthcare services to over 140,000 people in Bolton and the surrounding area north-west of Manchester, England.
“Having the visibility to quickly and accurately detect threat behaviours on and between all devices is the key to good security practice, regulatory compliance and managing risk.”
The 2019 Spotlight Report on Healthcare is based on observations and data from the 2019 RSA Conference Edition of the Attacker Behavior Industry Report, which reveals behaviours and trends in networks from a sample of 354 opt-in enterprise organisations in healthcare and eight other industries. Motivated attackers often mask their malicious actions by blending in with existing network traffic behaviours.
From July through to December 2018, Vectra’s Cognito threat-detection and response platform monitored network traffic and collected metadata from more than three million workloads and devices from customer cloud, data centre and enterprise environments. The analysis of this metadata provides a better understanding about attacker behaviours and trends as well as business risks, enabling Vectra customers to avoid disastrous data breaches.
Key findings from the 2019 Spotlight Report on Healthcare:
- The most prevalent method attackers used to hide command-and-control communications in healthcare networks was hidden HTTPS tunnels. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic.
- The most common method attackers used to hide data exfiltration behaviours in healthcare networks was hidden domain name system (DNS) tunnels. Behaviours consistent with exfiltration can also be caused by IT and security tools that use DNS communication.
- Vectra observed a spike in behaviours consistent with attackers performing internal reconnaissance in the form of internal dark net scans and Microsoft Server Message Block (SMB) account scans. Internal dark net scans occur when internal host devices search for internal IP addresses that do not exist on the network. SMB account scans occur when a host device rapidly makes use of multiple accounts via the SMB protocol that is typically used for file sharing.
- While many healthcare organisations experienced ransomware attacks in recent years, the report found that ransomware threats were not as prevalent in the second half of 2018. It is still important to catch ransomware attacks early, before files are encrypted and clinical operations are disrupted.
- Botnet attacks are opportunistic and are not targeted at specific organisations. While botnet attacks persist everywhere, their rate of occurrence in healthcare is lower than other industries.
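The two reconnaissance behaviours described above, internal dark net scans and SMB account scans, can be spotted with simple per-host counting over connection logs. The following is an added example, not code from Vectra or the report; it runs over a constructed connection log where a status of "unreachable" stands for a destination address that does not exist on the network, and the thresholds are assumed values to be tuned for a real environment.

```python
"""Detection heuristics for internal dark net scans and SMB account scans."""
import ipaddress
from collections import defaultdict

# Constructed sample records: (src_ip, dst_ip, dst_port, account, status).
# 10.1.1.5 is a benign backup host, 10.1.1.9 probes unused internal addresses,
# 10.1.1.20 tries many accounts over SMB against a single file server.
SAMPLE_LOG = (
    [("10.1.1.5", "10.1.2.10", 445, "svc_backup", "ok"),
     ("10.1.1.5", "10.1.2.11", 445, "svc_backup", "ok"),
     ("10.1.1.5", "10.1.2.12", 445, "svc_backup", "unreachable")]  # one stale host
    + [("10.1.1.9", f"10.1.9.{i}", 445, "", "unreachable") for i in range(1, 7)]
    + [("10.1.1.20", "10.1.2.10", 445, f"user{i}", "denied") for i in range(5)]
)


def is_internal(ip: str) -> bool:
    """True for RFC 1918 and other private address space."""
    return ipaddress.ip_address(ip).is_private


def darknet_scanners(records, min_dead_hosts: int = 5) -> dict:
    """Hosts that contacted at least min_dead_hosts distinct internal
    addresses that do not exist (the 'internal dark net')."""
    dead = defaultdict(set)
    for src, dst, _port, _account, status in records:
        if status == "unreachable" and is_internal(dst):
            dead[src].add(dst)
    return {src: len(d) for src, d in dead.items() if len(d) >= min_dead_hosts}


def smb_account_scanners(records, min_accounts: int = 4) -> dict:
    """Hosts that used at least min_accounts distinct accounts over SMB (445)."""
    accounts = defaultdict(set)
    for src, _dst, port, account, _status in records:
        if port == 445 and account:
            accounts[src].add(account)
    return {src: sorted(a) for src, a in accounts.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    print("dark net scan candidates:", darknet_scanners(SAMPLE_LOG))
    print("SMB account scan candidates:", smb_account_scanners(SAMPLE_LOG))
```

The benign backup host touches a single stale address and stays below the dark net threshold, which is the kind of tolerance a real deployment needs to avoid alerting on ordinary decommissioned hosts.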
“Healthcare organisations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information,” said Chris Morales, Head of Security Analytics at Vectra. “Improving visibility into network behaviour enables healthcare organisations to manage risk of legacy systems and new technology they embrace.”
The Cognito platform accelerates network threat detection and response using sophisticated Artificial Intelligence to collect, enrich and store network metadata with the right context to detect, hunt and investigate hidden threats in real time.
The Cognito platform scales efficiently to the largest organisations' networks with a distributed architecture that includes a mix of physical, virtual and cloud sensors to provide 360-degree visibility across cloud, data centre, user and IoT networks, leaving attackers with nowhere to hide.